02 January 2018

Following the success of the one-day Secure Events and Security Congress in EMEA, (ISC)²’s new-look two-day Secure Summits bring multi-subject sessions, from hands-on practical workshops to keynotes and panel discussions, featuring local and international industry experts to maximise the learning experience and CPE opportunities.

Serving the entire (ISC)² EMEA professional community with five regional events, the Summits offer a wealth of educational value, networking opportunities, and a community forum for like-minded professionals, all of which are FREE to (ISC)² members & (ISC)² Chapter members. Read on for insights from one of our popular Secure Summit UK sessions:

Day one of Secure Summit UK saw ethical hacker Ken Munro from Pen Test Partners take the stage to deliver a truly chilling demonstration of how easy it is to gain access to your data, and even spy on you, through the vulnerabilities inherent in many modern IoT devices. His day job involves testing devices on the market, and during this session he revealed some of his findings.

IoT Kettle

Ken began by demonstrating how to hack into someone’s network via an internet-connected kettle. Simply by taking the base apart he found the Wi-Fi module, and using readily available tools, he was able to find its IP address. A quick Google search brought up an online manual for the kettle, revealing its default password as ‘000000’. Also in the document were AT commands, including one which brings up the network’s wireless key.

Furthermore, he demonstrated that physically factory resetting the device resets the password but keeps the wireless key. This means that hackers can buy these kettles second-hand on eBay and essentially buy people’s Wi-Fi passwords. Using a tool called Shodan, he revealed that you can geolocate all these devices as well, meaning a hacker can literally find where you live through your kettle.

Cayla Doll

Ken revealed that a Cayla Doll – an interactive talking children’s toy – can easily be hacked and be made to swear. Although it advertises an anti-profanity filter feature, by exploiting the PIN-less Bluetooth connection between the doll and its companion app, he was able to access the SQL database which contained the blacklist of swear words and easily delete it. The doll could then be made to say anything. Furthermore, the microphone could also be commandeered to effectively spy on the user.

Thermostats

Ken’s next demonstration was to show how hackers can even put ransomware on smart devices like a thermostat. He showed the audience how easy it was to find the device’s firmware online, and by reading the code he was able to find 14 different vulnerabilities through which code can be input. Hackers can use these to upload ransomware.

There are far wider implications from vulnerable thermostats. Currently, there are around 1 million IoT thermostats in the UK. What if you could control all the thermostats of the same brand because they have the same vulnerability? These could be commanded to turn on all the air-conditioning units at the same time, causing a huge power spike. This could bring down the power grid, and cause a blackout. This shows that our critical national infrastructure could be at stake because of insecure IoT thermostats.

Regulation

It’s clear that the gold rush of creating IoT devices has left our cybersecurity seriously compromised. But despite these vulnerabilities, things are starting to improve. Industry is starting to take security more seriously, and new laws and regulations are coming to improve this situation. Ken explained that a Star Wars toy last year shipped with vulnerabilities but the manufacturer fixed them in just 8 days after they were pointed out, and thankfully the vulnerabilities he mentioned no longer exist. Furthermore, the EU is working on legislation that will help provide a standard of security across these types of devices.

In the meantime, he warned, we should be wary of just how many threats there may be in the internet-connected devices around us.
